Siemens recently issued an out-of-band security advisory to address critical vulnerabilities in its Sicam power grid products. The affected products include the Sicam A8000 remote terminal unit (RTU), Sicam Enhanced Grid Sensor (EGS), and Sicam 8 software. The vulnerabilities include a critical flaw, CVE-2024-37998, which allows attackers to reset admin passwords without knowing the current one if auto-login is enabled, and a medium-severity issue, CVE-2024-39601, that permits firmware downgrades which could introduce vulnerabilities.
The critical vulnerability, CVE-2024-37998, could enable unauthorized access to administrative functions of the affected applications, posing a significant security risk. Siemens discovered this issue internally and has released firmware updates to address it. The medium-severity flaw, CVE-2024-39601, discovered by SEC Consult, allows attackers with physical access or remote authenticated access to downgrade the device’s firmware to a vulnerable version, potentially leading to arbitrary code execution and backdoor installation.
SEC Consult, which reported CVE-2024-39601, has indicated that while it is not clear if these vulnerabilities can be exploited together for a remote, unauthenticated attack, the risk remains significant. To provide Siemens customers ample time to implement the patches, SEC Consult will delay its detailed advisory until September. This will help prevent immediate threats and secure the power grid systems.
Siemens has made firmware updates available and provided workarounds and mitigations to address these vulnerabilities. The advisory underscores the importance of addressing these issues promptly, given SEC Consult’s past findings of serious vulnerabilities in Siemens products that could potentially disrupt the energy sector or destabilize power grids.